
Facebook Exposed 87 Million Users to Cambridge Analytica

April 5, 2018

Facebook now says the data firm Cambridge Analytica gained unauthorized access to up to 87 million users' data, mainly in the United States. This figure is far higher than the 50 million users that were previously reported.

Facebook's chief technology officer Mike Schroepfer shared this figure at the end of a lengthy—and somewhat unrelated—blog post Wednesday that laid out a slew of changes Facebook is making to restrict access to user data.

"In total, we believe the Facebook information of up to 87 million people—mostly in the US—may have been improperly shared with Cambridge Analytica," Schroepfer wrote toward the bottom of the post. Schroepfer noted that beginning April 9, Facebook will make it possible for users to see if their data was exposed to Cambridge Analytica. Unlike the well-hidden tool Facebook created to tell users whether they'd interacted with Russian trolls in the past, the new Cambridge Analytica disclosure will appear at the top of users' News Feeds.

In mid-March The New York Times, along with The Guardian and The Observer, reported that Cambridge Analytica and its British counterpart SCL had harvested the data of 50 million Facebook users through an app called thisisyourdigitallife, which offered personality quizzes. At the time, when Facebook users installed apps connected to the platform, they also exposed data from many of their friends to the app developer. When the news broke, Facebook confirmed only that 270,000 people had downloaded that app, but until now had never refuted reports that 50 million users' data had been accessed.

Facebook CEO Mark Zuckerberg, who is scheduled to testify before the House Energy and Commerce Committee next week, addressed the updated numbers in a call with reporters Wednesday afternoon. Zuckerberg explained that over the last few days, the company took stock of all of the people who used the thisisyourdigitallife app and analyzed the maximum number of friends they had during the period of time when the app was live. "We didn't put out the 50 million number. That came from other parties. We wanted to wait until we had the full understanding," Zuckerberg explained, adding, "I'm quite confident it’s not more than 87 million."

While Facebook has cracked down specifically on Cambridge Analytica, it is clear that company is only a convenient example of a far more pervasive problem.

"By tacking 37 million more people to an API-focused news update from the CTO, Facebook's willingness to obscure and bury key details about the inappropriate use of their platform continues," says Jonathan Albright, research director at Columbia University's Tow Center for Digital Journalism, who has become one of Facebook's chief watchdogs and critics. Albright was the first to suggest that Russian propaganda had reached millions more people than the 10 million Facebook initially acknowledged last fall.

In addition to fleshing out the new disclosure about Cambridge Analytica, Zuckerberg also spoke with reporters about the changes Facebook has made regarding data access recently, including new restrictions to its APIs which previously allowed app developers to scrape data on everything from people’s religious preference and political affiliation to the guest lists of the events they RSVPed to. Going forward, Facebook will individually approve any app that asks users to share their check-ins, likes, photos, posts, videos, events, and groups. It will also prevent apps from using Facebook Login to collect users’ personal information, including details like their religious or political views, relationship status, education and work history, and more.

Zuckerberg also noted that the company is shutting down the ability to search for users' profiles by using their phone numbers. In an alarming revelation, he said that recent investigations into data privacy have revealed malicious actors cycling through hundreds of thousands of IP addresses in order to search for users by their phone numbers and scrape their public profile information. Until now, users have had to opt out of making their profiles searchable by phone number. Most, Zuckerberg said, never opted out.

"It's reasonable to expect if you had that setting turned on that at some point in the last several years, someone has accessed your public information," Zuckerberg said.

Though the CEO accepted blame for all of these data privacy and trust issues, saying, "It was my mistake," he also often put the onus on Facebook users to know better. He mentioned, for instance, that the only information that bad actors would be able to scrape using a phone number was information that was public on Facebook user profiles. Of the researcher who built the data-scraping app for Cambridge Analytica, Zuckerberg said, "Yes, he broke the policy, he broke people’s expectations, but also, people chose to share that data with him."

And yet it was Zuckerberg and the company he built that made people's data privacy settings so open by default, and made it difficult to find, understand, and adjust those settings. It was Facebook that made it possible for app developers to ask users for so much of their data as the cost of admission. And it was Zuckerberg and his lieutenants that failed to take action for over a year after finding out that one—but likely more—of those app developers misused that valuable data.

Just as the culture that created the Cambridge Analytica scandal took years to develop, Zuckerberg acknowledged it will take at least as long to undo. "I wish I could snap my fingers and in six months or even two months have solved all of these issues," Zuckerberg said. "I do think this is a multi-year effort."